I'm not entirely clear on your question. However, there is a strange behavior on real gear that you might not expect. Traffic sourced from the router itself is not checked against egress acl's. I just wanted to mention that.